Mapping out Web apps attacks

A new report shows that while many attackers continue to stick with old techniques and targets, some are expanding their horizons in terms of tactics and victims

By Matt Hines

InfoWorld|Feb 11, 2008

Attackers continue to use well-worn techniques, such as SQL injection, to exploit holes in popular Web applications but have also moved on to other targets, including government sites, and newer exploit methods, such as cross-site request forgery, according to the latest report filed by the Web Applications Security Consortium.

The nonprofit industry group released the findings of its annual Hacking Incidents Database report this week, and despite the fact that cyber-criminals are still capable of using familiar means like SQL injection to victimize e-commerce sites and other transactional systems, a growing number of assailants are broadening their efforts and capabilities and going after new sets of targets, the research contends.

Based on WASC's in-depth investigations into roughly 80 individual attacks carried out during calendar 2007, the group concludes that data theft remains the primary goal of most incidents, representing 42 percent of all the events.

Surprisingly, site defacement -- thought to be a dying art in the world of profit-driven hacking -- actually still accounted for 23 percent of the attacks covered in the report, followed by exploits aimed at planting malware on sites at roughly 15 percent.

And while the lion's share of the incidents studied by the group revolved around the attempted theft of sensitive data that could be sold on the underground market or used to carry out fraud, the phishing threats of years past are increasingly becoming outnumbered by attacks that utilize malware code hidden on legitimate Web applications to victimize unsuspecting end-users, the group said.

Of all the threats studied by WASC in its report, 67 percent were designed specifically to derive some form of profit -- pointing to continued growth in the professionalism of those responsible for the attacks, researchers said.

"One of the biggest issues is that so much of this activity is being delivered directly though legitimate Web sites that are being hacked," said Ryan Barnett, a project leader at WASC who also serves as director of application security training at applications firewall vendor Breach Security, which sponsored the 2008 report.

"It used to be that as long as users didn't go to certain Web sites they'd be safe, but obviously, that's changing," he said. "SQL injection still works surprisingly well, so we're seeing plenty of those across the board, but you do also begin to see more use of things like cross-site request forgery, to which even greater numbers of sites might be vulnerable."

SQL injection, which attempts to use security vulnerabilities occurring in the database layer of applications to compromise them, still remains a weak point in some widely-used Web systems, in particular e-commerce sites, a reality that the researcher views as surprising based on the well-established history of the technique. However, CSRF threats, which attempt to hijack authenticated Web sessions to carry out their ploys, are becoming more common, while still far less frequent than SQL injections, according to the expert. Indeed, CSRF threats accounted for only 2 percent of the incidents tracked by WASC for the 2007 report, while SQL injections represented 20 percent, the most popular format for exploit.

Unintentional information disclosure, which involves sites that emanate such detailed authentication failures that hackers may use them to find a way in, was the second most popular format for attackers to break into applications at 15 percent, followed by cross-site scripting exploits, which use malware planted on legitimate sites to subvert end-users' machines, at 12 percent of the incidents.

In terms of the types of organizations being assailed by the attacks tracked by WASC, the group found that government agencies actually represented the largest group of targets.

Perhaps because financial services companies and retailers have improved their applications defenses, hackers have moved on to the government set as well as educational institutions, the report contends.

Some 29 percent of the incidents covered in the report targeted government agencies, followed by education at 15 percent, and retailers and media outlets tied at 12 percent.

In addition to attempts to steal data, WASC contends that government agencies may also be getting hacked by parties looking to embarrass or disable the organizations' sites based on ideological goals. Because government agencies are forced to report more of their security incidents publicly, hackers may merely be trying to force the organizations to admit that they have been exploited in public, the researchers said.